Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for veeam_service_provider_console by veeam

    CVE-2024-45206 (GCVE-0-2024-45206)

    Vulnerability from nvd – Published: 2024-12-04 01:06 – Updated: 2025-03-13 18:36
    VLAI
    Summary
    A vulnerability in Veeam Service Provider Console has been identified, which allows to perform arbitrary HTTP requests to arbitrary hosts of the network and get information about internal resources.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Veeam Service Provider Console Affected: 8.0 , ≤ 8.0 (semver)
    Create a notification for this product.
    veeam service_provider_console Affected: 8.0 , ≤ 8.0.0.19552 (custom)
        cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "service_provider_console",
                "vendor": "veeam",
                "versions": [
                  {
                    "lessThanOrEqual": "8.0.0.19552",
                    "status": "affected",
                    "version": "8.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45206",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-04T16:04:40.305592Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-918",
                    "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-13T18:36:04.573Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Service Provider Console",
              "vendor": "Veeam",
              "versions": [
                {
                  "lessThanOrEqual": "8.0",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in Veeam Service Provider Console has been identified, which allows to perform arbitrary HTTP requests to arbitrary hosts of the network and get information about internal resources."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-04T01:06:04.650Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://www.veeam.com/kb4649"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2024-45206",
        "datePublished": "2024-12-04T01:06:04.650Z",
        "dateReserved": "2024-08-23T01:00:01.061Z",
        "dateUpdated": "2025-03-13T18:36:04.573Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-29212 (GCVE-0-2024-29212)

    Vulnerability from nvd – Published: 2024-05-13 01:07 – Updated: 2024-08-02 01:10
    VLAI
    Summary
    Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    Veeam Service Provider Console Affected: 8 , ≤ 8 (semver)
    Affected: 7 , ≤ 7 (semver)
    Create a notification for this product.
    veeam service_provider_console Affected: 7
    Affected: 8
        cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "service_provider_console",
                "vendor": "veeam",
                "versions": [
                  {
                    "status": "affected",
                    "version": "7"
                  },
                  {
                    "status": "affected",
                    "version": "8"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-29212",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-13T11:57:03.814114Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:58:16.449Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:10:54.643Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.veeam.com/kb4575"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Service Provider Console",
              "vendor": "Veeam",
              "versions": [
                {
                  "lessThanOrEqual": "8",
                  "status": "affected",
                  "version": "8",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "7",
                  "status": "affected",
                  "version": "7",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Due to an  unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-13T01:07:49.112Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://www.veeam.com/kb4575"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2024-29212",
        "datePublished": "2024-05-13T01:07:49.112Z",
        "dateReserved": "2024-03-19T01:04:06.323Z",
        "dateUpdated": "2024-08-02T01:10:54.643Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-45206 (GCVE-0-2024-45206)

    Vulnerability from cvelistv5 – Published: 2024-12-04 01:06 – Updated: 2025-03-13 18:36
    VLAI
    Summary
    A vulnerability in Veeam Service Provider Console has been identified, which allows to perform arbitrary HTTP requests to arbitrary hosts of the network and get information about internal resources.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Veeam Service Provider Console Affected: 8.0 , ≤ 8.0 (semver)
    Create a notification for this product.
    veeam service_provider_console Affected: 8.0 , ≤ 8.0.0.19552 (custom)
        cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "service_provider_console",
                "vendor": "veeam",
                "versions": [
                  {
                    "lessThanOrEqual": "8.0.0.19552",
                    "status": "affected",
                    "version": "8.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45206",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-04T16:04:40.305592Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-918",
                    "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-13T18:36:04.573Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Service Provider Console",
              "vendor": "Veeam",
              "versions": [
                {
                  "lessThanOrEqual": "8.0",
                  "status": "affected",
                  "version": "8.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability in Veeam Service Provider Console has been identified, which allows to perform arbitrary HTTP requests to arbitrary hosts of the network and get information about internal resources."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-04T01:06:04.650Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://www.veeam.com/kb4649"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2024-45206",
        "datePublished": "2024-12-04T01:06:04.650Z",
        "dateReserved": "2024-08-23T01:00:01.061Z",
        "dateUpdated": "2025-03-13T18:36:04.573Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-29212 (GCVE-0-2024-29212)

    Vulnerability from cvelistv5 – Published: 2024-05-13 01:07 – Updated: 2024-08-02 01:10
    VLAI
    Summary
    Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    Veeam Service Provider Console Affected: 8 , ≤ 8 (semver)
    Affected: 7 , ≤ 7 (semver)
    Create a notification for this product.
    veeam service_provider_console Affected: 7
    Affected: 8
        cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:veeam:service_provider_console:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "service_provider_console",
                "vendor": "veeam",
                "versions": [
                  {
                    "status": "affected",
                    "version": "7"
                  },
                  {
                    "status": "affected",
                    "version": "8"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-29212",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-13T11:57:03.814114Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:58:16.449Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T01:10:54.643Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.veeam.com/kb4575"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Service Provider Console",
              "vendor": "Veeam",
              "versions": [
                {
                  "lessThanOrEqual": "8",
                  "status": "affected",
                  "version": "8",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "7",
                  "status": "affected",
                  "version": "7",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Due to an  unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-13T01:07:49.112Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "url": "https://www.veeam.com/kb4575"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2024-29212",
        "datePublished": "2024-05-13T01:07:49.112Z",
        "dateReserved": "2024-03-19T01:04:06.323Z",
        "dateUpdated": "2024-08-02T01:10:54.643Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }